The best way to protect SQL injection?

  • Alucard

    The best way to protect SQL injection?

    Hi all.

    I would like to ask if Regular expression is the best way to deal with
    SQL injection attack, and no mysql_real_escape_string() is used:

    // $user_input: the value being checked
    if (preg_match('/^[A-Za-z0-9]{4,6}$/', $user_input)) {
        print "Success!";
    }

    In the above example, only character and digit are allowed. Other
    injection techniques are not usable.

    Is it correct? Did I make any foolish assumptions or mistakes? Please
    let me know.

    Thank you very much.

  • Tim Van Wassenhove

    #2
    Re: The best way to protect SQL injection?

    Alucard wrote:
    > Hi all.
    >
    > I would like to ask if Regular expression is the best way to deal with
    > SQL injection attack, and no mysql_real_escape_string() is used:
    Imho there are two things you have to take care of:

    1) Validate user input (a regular expression can be used)
    2) Prepare the data for use in a MySQL query (mysql_real_escape_string
    can be used for that, but these days I'd opt for parameter binding instead...)




    --
    Tim Van Wassenhove <url:http://www.timvw.be/>

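The two steps Tim lists, as an added PHP example that is not code from the thread: a regular expression checks the shape of the input, and the value then reaches the database as a bound parameter. It assumes PDO and uses a sqlite::memory: DSN so it runs without a server; the binding code is the same against a MySQL DSN.

```php
<?php
// Added example, not from the thread: validate first, then bind.
// Assumes PDO; sqlite::memory: is only used so this runs offline.

function isValidUsername(string $value): bool
{
    // Anchored with \z so a trailing newline cannot slip past the check;
    // {4,6} is the length quantifier the original post meant with (4,6).
    return preg_match('/^[A-Za-z0-9]{4,6}\z/', $value) === 1;
}

function findUser(PDO $db, string $name): ?array
{
    // The :name placeholder stays literal in the statement; the value is
    // sent separately, so a quote or backslash in $name cannot end the
    // string literal or change the structure of the query.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data, including a name with an apostrophe.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('Miles O''Brien')");

var_dump(isValidUsername('alice'));          // letters only: passes the whitelist
var_dump(isValidUsername("Miles O'Brien"));  // a legitimate name the regex rejects
var_dump(findUser($db, "Miles O'Brien"));    // the apostrophe is harmless when bound
var_dump(findUser($db, "a\"b\\c"));          // quote plus backslash: no match, no error
```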

    • www.gerardvignes.com

      #3
      Re: The best way to protect SQL injection?

      I wrote a simple PHP function for handling string arguments to a SQL
      Query:

      function SqlEscapedQuotedString($unescaped_string) {
          // addslashes() backslash-escapes quotes, backslashes and NUL;
          // the result is wrapped in double quotes for use in the query
          return '"' . addslashes($unescaped_string) . '"';
      }

      I never accept a SQL Query from the client, only an Argument to a SQL
      Query on the server.

      Gerard Vignes

      Seattle, WA


      • Dikkie Dik

        #4
        Re: The best way to protect SQL injection?

        > I wrote a simple PHP function for handling string arguments to a SQL
        > Query:
        >
        > function SqlEscapedQuotedString($unescaped_string) {
        >     return '"' . addslashes($unescaped_string) . '"';
        > }

        For me, this is way too simple. I use "whitelisting" for the SQL values:
        any character that is valid SQL is allowed (though escaped for some
        characters), and a string containing any other character is sent as a
        hexadecimal string.

        Best regards


        • www.gerardvignes.com

          #5
          Re: The best way to protect SQL injection?

          The suggested way to protect user-supplied input with MySQL involves
          using a special PHP function for MySQL:

          mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)

          This takes the character set used by the database into account.

          Gerard Vignes

          Seattle, WA


          • Gordon Burditt

            #6
            Re: The best way to protect SQL injection?

            >I would like to ask if Regular expression is the best way to deal with
            >SQL injection attack, and no mysql_real_esca pe_string() is used:
            >
            >if(preg_match( "[A-Za-z0-9](4,6)")){
            >print "Success!";
            >}
            >
            >In the above example, only character and digit are allowed. Other
            You mean letter and digit, don't you?
            Certain characters (e.g. single quote, double quote, backslash) are
            ones that cause trouble.
            >injection technique is no used.
            Your approach will not work where valid input (e.g. of human names)
            includes characters which need to be escaped (e.g. 'Miles O'Brien')
            and spaces. On the other hand, it may work fine (if you change the
            length limit) for inputting license plate numbers and possibly
            product serial numbers. It will NOT work for inputting serial
            numbers on US currency, which sometimes contain '*' as the last
            character.
            >Is it correct? Did I make any foolish assumptions or mistakes? Please
            >let me know.


            • Dikkie Dik

              #7
              Re: The best way to protect SQL injection?

              > The suggested way to protect user-supplied input with MySQL involves
              > using a special PHP function for MySQL:
              >
              > mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
              >
              > This takes the character set used by the database into account.

              I know. And that is a severe problem for me. At the time I build the
              queries, there may not even be a database connection. I do not want it
              to work with a current database connection, I want it to work with _all_
              database connections. SQL itself is just normal 7-bit ASCII (there may
              be ways to configure the server otherwise, but I don't do that) and it
              is only the strings that have to be escaped. So what is safer than
              building the entire command in 7-bit ASCII?

              Best regards

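Dikkie Dik's scheme from #4 and #7, as an added PHP example that is not the poster's own code: the statement is assembled as 7-bit ASCII with no database connection, quoting only strings made of printable ASCII and sending anything else as a hex literal. The helper names are hypothetical and MySQL's X'...' hex literal syntax is assumed.

```php
<?php
// Added example of the whitelist-or-hex approach described above; not from
// the thread. Assumes MySQL's X'...' hex literal syntax.

function sqlStringLiteral(string $value): string
{
    // Fast path: printable ASCII (0x20-0x7E) with no backslash (0x5C), so
    // the only byte that can end the literal is the quote, which is doubled.
    // Doubling is valid whether or not the server runs NO_BACKSLASH_ESCAPES,
    // and \z (not $) keeps a trailing newline from matching the fast path.
    if (preg_match('/^[\x20-\x5B\x5D-\x7E]*\z/', $value) === 1) {
        return "'" . str_replace("'", "''", $value) . "'";
    }
    // Everything else (multibyte characters, control bytes, backslashes) goes
    // out as a hex literal, so the SQL text itself stays pure 7-bit ASCII and
    // no connection character set can change how the server tokenises it.
    return "X'" . strtoupper(bin2hex($value)) . "'";
}

function buildLookupQuery(string $name): string
{
    // No connection needed: the literal is safe to embed as text.
    return 'SELECT id FROM users WHERE name = ' . sqlStringLiteral($name);
}

// Constructed inputs: a plain name, one with an apostrophe, and one holding
// non-ASCII characters plus a backslash that must take the hex path.
foreach (['alice', "Miles O'Brien", "Zoë \\ 日本"] as $name) {
    echo buildLookupQuery($name), "\n";
}
```

MySQL treats an X'...' literal as a binary string, so where the column's collation matters, prefix the literal with a character set introducer such as _utf8mb4.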
